CentOS 6
Sponsored Link

Rsyslog : Output logs to Remote Host
2015/03/31
 
Configure Rsyslog to output logs to remote host.
This example based on environment below.
(1) dlp.srv.world           [10.0.0.30]    Log Managed Server
(2) node01.srv.world     [10.0.0.51]     Client Server (Output logs to Managed Server)

[1] Configure Log Managed Server to receive logs from client servers.
[root@dlp ~]#
vi /etc/rsyslog.conf
# line 17, 18: uncomment

$ModLoad imtcp
$InputTCPServerRun 514
# specify senders you permit to access

$AllowedSender TCP, 127.0.0.1, 10.0.0.0/24, *.srv.world
[root@dlp ~]#
/etc/rc.d/init.d/rsyslog restart

Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
[2] Configure Client Servers.
[root@node01 ~]#
vi /etc/rsyslog.conf
# for exmaple, output logs for "authpriv.*" to remote host

authpriv.*    
@@dlp.srv.world:514
# line 73: uncomment all

$WorkDirectory /var/lib/rsyslog # where to place spool files
$ActionQueueFileName fwdRule1   # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g     # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on   # save messages to disk on shutdown
$ActionQueueType LinkedList     # run asynchronously
$ActionResumeRetryCount -1      # infinite retries if host is down

[root@node01 ~]#
/etc/rc.d/init.d/rsyslog restart

Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
[3] After configuration of above, logs for kinds of authentication are recorded on Log Managed Server like follows.
[root@dlp ~]#
tail -10 /var/log/secure

Apr  1 02:50:24 dlp login: DIALUP AT ttyS0 BY root
Apr  1 02:50:24 dlp login: ROOT LOGIN ON ttyS0
Apr  1 21:56:35 node01 login: pam_unix(login:session): session closed for user root
Apr  1 21:56:41 node01 login: pam_unix(login:session): session opened for user root by (uid=0)
Apr  1 21:56:41 node01 login: DIALUP AT ttyS0 BY root
Apr  1 21:56:41 node01 login: ROOT LOGIN ON ttyS0
Apr  1 21:57:46 node01 sshd[1022]: Accepted password for cent from 10.0.0.30 port 51970 ssh2
Apr  1 21:57:46 node01 sshd[1022]: pam_unix(sshd:session): session opened for user cent by (uid=0)
Apr  1 21:57:46 node01 sshd[1024]: Received disconnect from 10.0.0.30: 11: disconnected by user
Apr  1 21:57:46 node01 sshd[1022]: pam_unix(sshd:session): session closed for user cent
[4] If you'd like to separate logs for a Host, for a date, Configure like follows.
[root@dlp ~]#
vi /etc/rsyslog.conf
# add: define logfiles

$template Secure_log,"/var/log/secure.d/%fromhost%_%$year%%$month%%$day%.secure"
# add: specify logfiles defined above.

authpriv.*    
-?Secure_log
[root@dlp ~]#
/etc/rc.d/init.d/rsyslog restart

Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
[root@dlp ~]#
ll /var/log/secure.d

total 8
-rw------- 1 root root 376 Apr  2 12:58 10.0.0.51_20150402.secure
-rw------- 1 root root 368 Apr  2 12:59 dlp_20150402.secure
 
Tweet